I'm looking for a reliable way to ensure that the SME owner and our main office manager have admin access to our Microsoft 365 domain, particularly in case something happens to me. I have some cardiac procedures coming up, and I've alerted them that I may be slow to respond afterward. The office manager is understandably concerned about the process if I end up in a tough spot at the hospital.
We're a small team of about 15 people in the retail sector, and our office manager isn't very tech-savvy. He might get overwhelmed by the complexities of services like Microsoft Entra or Azure, even though he can handle creating shared mailboxes or groups. I want to know if anyone has encountered situations where they didn't have proper provision in place and what lessons were learned. My ideal solution is something straightforward yet secure enough to deter any casual tampering. I'm keen to hear your experiences and suggestions!
6 Answers
You might want to set up secondary admin accounts that use Yubikeys for multi-factor authentication. Keep the usernames and passwords in a sealed envelope stored securely. This is a good practice regardless of your medical situation. It’s often referred to as a 'break glass' account.
Thanks for the tip!
I'd suggest creating a break glass account with the password divided into two separate envelopes, one for each person you trust. This way, in case of an emergency, they both need to work together to access it.
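The two-envelope split suggested above, as an added example that is not part of the original answer. Cutting a password in half leaves each holder with half of its characters, while XOR-ing it with a random pad yields two shares that each reveal nothing on their own. The function names and the checksummed base32 envelope format are assumptions made for this example.

```python
import base64
import hashlib
import secrets

def new_break_glass_password(n_bytes: int = 24) -> str:
    """Random password for the emergency account (32 characters by default)."""
    return secrets.token_urlsafe(n_bytes)

def encode_share(share: bytes) -> str:
    """Printable share: base32 in groups of 4, with a 2-byte checksum appended."""
    check = hashlib.sha256(share).digest()[:2]
    text = base64.b32encode(share + check).decode().rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))

def decode_share(text: str) -> bytes:
    """Parse a typed-in share; raises ValueError if it was mistyped or damaged."""
    raw = text.replace("-", "").replace(" ", "").upper()
    raw += "=" * (-len(raw) % 8)          # restore the base32 padding
    data = base64.b32decode(raw)          # binascii.Error is a ValueError
    share, check = data[:-2], data[-2:]
    if hashlib.sha256(share).digest()[:2] != check:
        raise ValueError("share checksum mismatch: check for typing errors")
    return share

def split_password(password: str) -> tuple[str, str]:
    """Return two envelope strings; both are required to rebuild the password."""
    secret = password.encode("utf-8")
    pad = secrets.token_bytes(len(secret))              # envelope 1: pure randomness
    masked = bytes(s ^ p for s, p in zip(secret, pad))  # envelope 2: secret XOR pad
    return encode_share(pad), encode_share(masked)

def join_password(share_a: str, share_b: str) -> str:
    """Recombine the two envelopes (order does not matter)."""
    a, b = decode_share(share_a), decode_share(share_b)
    if len(a) != len(b):
        raise ValueError("these two shares do not belong together")
    return bytes(x ^ y for x, y in zip(a, b)).decode("utf-8")

if __name__ == "__main__":
    password = new_break_glass_password()
    envelope_1, envelope_2 = split_password(password)
    print("Envelope 1:", envelope_1)
    print("Envelope 2:", envelope_2)
    assert join_password(envelope_1, envelope_2) == password
```

Run it on a trusted machine, print or hand-copy each line into its own envelope, and test the recombination once before sealing them.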
I've been in a similar situation before. We had to regain ownership of a domain first, which was a hassle. If you're anticipating medical issues, get a managed service provider involved sooner rather than later and make sure to document everything for non-technical staff. They can help navigate the process if necessary.
Everyone talks about secure storage, but consider having your lawyer hold onto the credentials instead. If your team needs access, they can just reach out to your lawyer, preventing any temptation to misuse the credentials themselves.
Break glass accounts are really the way to go. The key is that they shouldn't be given full admin access unless absolutely necessary. Consider using Privileged Identity Management (PIM) as a secondary option if you're worried about security.
In our company, we keep the break glass account's credentials and a Yubikey hidden in a safe that only a few trusted people can access. We randomized the password once a year to enhance security.
What you're looking for is commonly known as a 'break glass' solution. It's not only useful for emergencies like being unavailable but also for any situation when your regular admin access might be compromised. Check out Microsoft’s recommendations for emergency access on their site; they apply broadly to Azure tenants too.

That sounds like a solid plan! I did something similar when I was the only IT person in a small organization—gave one person the MFA key to hold and locked the password in a vault only the head of accounting could access. That way, it required coordination to get access.